Table of Contents
In this article, we will cover the concepts of regular and special permissions(SUID and SGID) in Linux. Every file and directory in Linux will always have an associated user and a group owner. The permissions associated with a file or directory are usually divided into three parts: user who owns the file, a group owner and all other users. Each part is further divided into read, write and execute permission with below numeric value assigned to each of them.
4= Read
2= Write
1 = Execute
0 = No Permission
Regular and Special Permissions(SUID and SGID) in Linux
Apart from read, write and execute permission on files and directories, there are some special permissions required to assign to perform some special tasks. These special permissions are divided for the User and Group. Special permissions for user is known as SUID and for group it is SGID. There is another special permission called Sticky bit in Linux. We will see all of them one by one.
1. Set User ID(SUID)
When we want to provide special access to a user to run some command then we need to set SUID bit. One such example can be seen in /usr/bin/passwd command. If you check the permission of this file by using ls -ltr /usr/bin/passwd command then you will see special permission bit s in the fourth alphanumeric character position.
root@localhost:~# ls -ltr /usr/bin/passwd -rwsr-xr-x 1 root root 68208 May 28 2020 /usr/bin/passwd
If you want to set SUID on a file then you need to use u+s option with chmod command as shown below. Here we are setting SUID bit on user section of hello.txt permission using chmod u+s hello.txt command and verifying same by using ls -ltr hello.txt command.
root@localhost:~# chmod u+s hello.txt root@localhost:~# ls -ltr hello.txt -rwSr--r-- 1 root root 0 Jul 8 23:17 hello.txt
If you want to remove SUID bit from a file then you need to use u-s option with chmod command as shown below. Here we are removing SUID bit from user section of hello.txt file permission using chmod u-s hello.txt command and verifying the same by using ls -ltr hello.txt command.
root@localhost:~# chmod u-s hello.txt root@localhost:~# ls -ltr hello.txt -rw-r--r-- 1 root root 0 Jul 8 23:17 hello.txt
2. Set Group ID(SGID)
When SGID bit is set on a directory then all the files under that directory will have the same group as the parent directory and not the group of the user who created all those files. When set on a file then other users would also be able to access that file apart from the owner of that file. This permission is usually used for a file which needs to be shared between multiple users.
The concept of SGID bit can also be explained using a system based command ssh-agent. If you check the permission on this command using ls -ltr /usr/bin/ssh-agent then you can find SGID bit already set on group section of this command permission. The SGID permission bit actually protects this command from ptrace system call which could bypass a passphrase-based Secure Shell (SSH) connection to a remote system. More on Security Strategies in Linux Platforms and Applications.
root@localhost:~# ls -ltr /usr/bin/ssh-agent -rwxr-sr-x 1 root ssh 350504 Mar 9 19:47 /usr/bin/ssh-agent
If you want to set SGID on a file then you need to use g+s option with chmod command as shown below. Here we are setting SGID bit on group section of hello.txt file permission using chmod g+s hello.txt command and verifying the output by using ls -lrt hello.txt command.
root@localhost:~# chmod g+s hello.txt root@localhost:~# ls -lrt hello.txt -rw-r-Sr-- 1 root root 0 Jul 8 23:17 hello.txt
Similarly, if you want to remove SGID bit from a file then you need to use g-s option with chmod command as shown below. Here we are removing SGID bit from group section of hello.txt file permission using chmod g-s hello.txt command and verifying the results by using ls -lrt hello.txt command.
root@localhost:~# chmod g-s hello.txt root@localhost:~# ls -lrt hello.txt -rw-r--r-- 1 root root 0 Jul 8 23:17 hello.txt
3. Sticky Bit
Next important special permission is the Sticky Bit. It can be set to a file or directory so that any user apart from the owner of that file or directory and root user cannot delete or rename that file or directory. Sticky Bit usually needs to be set on a file or directory which all the users have access to but no one should have access to delete or rename it. Like in a case of shared file between multiple users where all the users need to access it to perform some specific task but to protect the file from any accidental deletion, it is always recommended to set sticky bit on it.
We will see an example to understand more about this concept. Let's create a directory hello using mkdir hello command and then change its permission to 777 using chmod 777 hello command.
root@localhost:~# mkdir hello root@localhost:~# chmod 777 hello
Now if you check the permission on this directory by using ls -ltrd hello command then it should show something like below.
root@localhost:~# ls -ltrd hello/ drwxrwxrwx 2 root root 4096 Jul 8 20:57 hello/
Next we can go to hello directory and create some files with different user owners and provide full access to all those files so that every other user can delete or rename those files.
root@localhost:~/hello# ls -ltr total 0 -rwxrwxrwx 1 centos centos 0 Jul 8 20:58 example.txt -rwxrwxrwx 1 test test 0 Jul 8 20:59 demo.txt
Since user is now able to delete or rename files which are not owned by them so to protect those files from any accidental deletion, we will set sticky bit at directory level using chmod +t hello/ command. Here +t option can be used to set the sticky bit as shown below.
root@localhost:~# chmod +t hello/ root@localhost:~# ls -ltrd hello/ drwxrwxrwt 2 root root 4096 Jul 8 20:59 hello/
Similarly, if we want to remove the sticky bit then we need to use -t option as shown below. Here we are removing sticky bit from hello directory using chmod -t hello command and verifying the results using ls -ltrd hello/ command.
root@localhost:~# chmod -t hello/ root@localhost:~# ls -ltrd hello/ drwxrwxrwx 2 root root 4096 Jul 8 20:59 hello/